Re: [OAUTH-WG] dpop terminology

Brian Campbell <> Mon, 05 April 2021 22:58 UTC

From: Brian Campbell <>
Date: Mon, 05 Apr 2021 16:57:30 -0600
Message-ID: <>
To: Nikos Fotiou <>
Cc: oauth <>

Hi Nikos,

The draft you've
referenced is several revisions out of date. Looking at will show the
current latest, which is currently

Some of that terminology has been cleaned up already. There are a couple
places where payload could be used rather than body that I'll change in the
next revision. I think that JWT header is probably more meaningful to most
readers than JOSE. And while it is technically a JOSE header, it's also a
JWS header, which is also a JWT header. This JWT is a JWS. Both have a
header. The same header.

On Sun, Apr 4, 2021 at 3:16 PM Nikos Fotiou <> wrote:

> Hi, I am wondering if the following terminology is more appropriate for the
> DPoP draft (
> - Since a DPoP proof is a JWT encoded in a JWS, maybe it is better to say
> "DPoP proof payload" instead of "DPoP proof body" (end of page 4).
> - For the same reason use "JOSE header" instead of "JSON header"
> (beginning of page 5)
> - Moreover, here and there it is stated "the header of the JWT". AFAIU
> JWTs do not have headers themselves but the header is part of the JWS/JWE
> structure in which the JWT is encoded. So maybe it is more appropriate to
> say "the JOSE header" instead of "the header of the JWT".
> Best,
> Nikos
> --
> Nikos Fotiou -
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business